With the rise of the Internet and the use of computer networks by many businesses, network security has become increasingly important. The rise of e-commerce has led organizations to open their networks to wider audiences over the Internet in order to stay competitive. Such open networks expose the organizations to intrusions—attempts to compromise the confidentiality, integrity, or availability of a computer system or network, or to bypass its security mechanisms. Additionally, companies storing vast amounts of consumer data need to provide some reasonable method for assuring privacy.
Attackers or hackers have continued to alter their attacks and network subversion methods, and vulnerabilities continue to exist in many areas including network misconfiguration, poorly engineered software, user neglect and carelessness, and basic design flaws in protocols and operating systems. Furthermore, as the sophistication of tools used by hackers has increased, the technical knowledge required to attack a network has fallen. Additionally, attacks are often the result of malicious insider activity which cannot be prevented by perimeter defenses.
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusion. An intrusion detection system (IDS) is a software product or hardware device that automates the intrusion detection process, and an IDS typically includes three functional components: information sources, analysis, and response. Analysis strategy falls into two basic types: knowledge-based misuse detection and behavioral-based anomaly detection. Behavioral-based detection methods use information about repetitive and usual behavior on the systems they monitor and note events that diverge from expected usage patterns.
Intrusion detection allows organizations to protect their systems from the threats that come with increasing network connectivity and reliance on information systems. Given the level and nature of modern network security threats, IDSs have gained acceptance as a necessary addition to every organization's security infrastructure. IDSs automatically review massive amounts of network and system data in real time, identify suspicious activity, provide real-time automated notification to security personnel, guide further investigation, and sometimes automatically respond to specified attacks. Properly used, an IDS can detect common attacks, attempts to exploit known weaknesses, network probes, or critical resource overloads in a reasonably timely manner. By identifying unauthorized activity that succeeded, IDSs can indirectly spotlight network and system vulnerabilities, enabling fixes and fine-tuning.
Comprehensive network security requires multiple layers. An effective IDS includes both knowledge-based and behavioral-based components. Most vendors provide network security products that protect only against known or “signature” patterns of attack, and typical behavioral-based components are limited to single anomaly detection without looking for behavioral patterns over a longer period of time. Existing products ignore troublesome new behavioral patterns that have yet to be detected or documented. Hackers often follow certain behavioral patterns that double as calling cards for their personal invasive techniques. For example, a hacker may attack all of the hacker's targeted networks by a recognizable and consistent sequence of port access attempts, but the pattern is recognized as odd or alarming only after an attack has occurred and a profile for that behavior is documented and publicized. Signature and basic behavioral methods of threat detection are invaluable, but they fall short as hackers determine new ways to attack or adjust their old behavior to attract less attention.
Many serious intruders perform considerable amounts of probing work within a network to learn how it is constructed and understand its weaknesses prior to a concerted attack. This reconnaissance work is commonly recorded in automated server and network logs, but largely remains unnoticed by most network IDSs if the traffic anomaly does not fit the profiles of known or common “signature” hacks. Accordingly, there is a need for a system with adaptive technology that, over time, gathers information on a particular system and establishes a pattern of normal traffic. Such a system is able to more intelligently determine which network traffic signatures do not fit the normal profiles for the individual system and alerts an intrusion detection team for further investigation and appropriate rapid defensive action.
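The following Python program is an added illustration of the three ideas in the preceding paragraphs, not code from this document or from any product it describes: a knowledge-based component that matches events against fixed "signature" patterns, an adaptive behavioral component that learns each source's normal port usage from a training capture and then flags a burst of previously unseen ports (reconnaissance), and a longer-window check for a documented "calling card" sequence of port access attempts. The log format, the signature strings, the calling-card sequence, the thresholds and the sample traffic are all constructed assumptions for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since start of capture
    src: str         # source address
    dst_port: int    # destination port
    payload: str     # first bytes of the request (may be empty)


# Knowledge-based component: fixed patterns of known attacks.
# Constructed for illustration; not real vendor rules.
SIGNATURES = {
    "directory traversal": "/../",
    "sqli probe": "' OR '1'='1",
}


def signature_alerts(events):
    """Misuse detection: flag every event whose payload contains a known pattern."""
    return [(e.ts, e.src, name)
            for e in events
            for name, pattern in SIGNATURES.items()
            if pattern in e.payload]


def is_subsequence(needle, haystack):
    """True if the ports in `needle` appear in `haystack` in that order (gaps allowed)."""
    it = iter(haystack)
    return all(any(x == p for x in it) for p in needle)


class AdaptiveIDS:
    """Behavioral component with a learned per-source baseline and a long-window
    sequence check. Each behavioral finding is reported once per source."""

    def __init__(self, window=300, novel_threshold=3, calling_cards=None):
        self.window = window                    # seconds of short-term memory
        self.novel_threshold = novel_threshold  # distinct unseen ports that trigger an alert
        self.calling_cards = calling_cards or {}  # name -> ordered tuple of ports
        self.profile = defaultdict(set)         # src -> ports seen while training
        self.recent = defaultdict(deque)        # src -> (ts, port) inside the window
        self.history = defaultdict(list)        # src -> every port touched, in order
        self.reported = set()                   # (src, label) already alerted

    def train(self, events):
        """Establish each source's normal port usage from a clean capture."""
        for e in events:
            self.profile[e.src].add(e.dst_port)

    def observe(self, event):
        """Score one live event; return the alerts it raises (possibly none)."""
        alerts = []
        q = self.recent[event.src]
        q.append((event.ts, event.dst_port))
        while q[0][0] < event.ts - self.window:   # drop entries older than the window
            q.popleft()
        # Ports this source touched recently that its baseline never contained.
        # A source absent from training has an empty profile, so every port is novel.
        novel = sorted({p for _, p in q if p not in self.profile[event.src]})
        key = (event.src, "novel-port burst")
        if len(novel) >= self.novel_threshold and key not in self.reported:
            self.reported.add(key)
            alerts.append((event.ts, event.src, "novel-port burst", tuple(novel)))
        # Long-window check: has this source's full port history traced a known sequence?
        self.history[event.src].append(event.dst_port)
        for name, seq in self.calling_cards.items():
            key = (event.src, name)
            if key not in self.reported and is_subsequence(seq, self.history[event.src]):
                self.reported.add(key)
                alerts.append((event.ts, event.src, "calling card", name))
        return alerts


def run_demo():
    """Constructed sample traffic: a condensed clean capture, then a live segment."""
    training = [Event(t, "10.0.0.5", p, "GET / HTTP/1.1")
                for t in range(0, 600, 60) for p in (80, 443)]
    training += [Event(t, "10.0.0.7", 22, "") for t in range(0, 600, 120)]
    live = [
        Event(1000, "10.0.0.5", 443, "GET /index.html HTTP/1.1"),
        Event(1010, "10.0.0.5", 8443, "GET /admin HTTP/1.1"),   # one new port: tolerated
        Event(1020, "192.0.2.9", 21, ""),                       # unknown host starts probing
        Event(1025, "192.0.2.9", 23, ""),
        Event(1030, "192.0.2.9", 25, ""),                       # third unseen port in window
        Event(1040, "192.0.2.9", 80, "GET /cgi-bin/../../etc/passwd HTTP/1.0"),
        Event(1050, "192.0.2.9", 443, ""),
    ]
    ids = AdaptiveIDS(window=300, novel_threshold=3,
                      calling_cards={"ftp-telnet-web sweep": (21, 23, 80)})
    ids.train(training)
    behavioral = [a for e in live for a in ids.observe(e)]
    return {"signature": signature_alerts(live), "behavioral": behavioral}


if __name__ == "__main__":
    for kind, alerts in run_demo().items():
        for alert in alerts:
            print(kind, alert)
```

In the constructed traffic the signature component sees only the traversal string in one request; the behavioral baseline lets the known client 10.0.0.5 touch a single new port without comment but reports the unknown host 192.0.2.9 once it has hit three unseen ports inside the window, and the long-window check separately reports that host once its history contains the documented 21, 23, 80 sequence. The probes on ports 21, 23 and 25 carried no payload at all, so a purely signature-based system would have had nothing to match until the traversal attempt arrived.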